lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 9 Dec 2019 00:31:55 +0100
From:   Florian Westphal <fw@...len.de>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
        Florian Westphal <fw@...len.de>,
        netfilter-devel@...r.kernel.org, netdev <netdev@...r.kernel.org>,
        Eric Dumazet <eric.dumazet@...il.com>,
        syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH netfilter] netfilter: bridge: make sure to pull arp
 header in br_nf_forward_arp()

Eric Dumazet <edumazet@...gle.com> wrote:
> syzbot is kind enough to remind us we need to call skb_may_pull()

[..]

> Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: syzbot <syzkaller@...glegroups.com>
> ---
> 
> Note: Fixes: tag does not point to real bug origin, but is old enough
>      to cover all stable versions.

Indeed, looks like a day0 bug.  We don't have this problem for ipv4/6
because the prerouting hook does pskb_may_pull() as part of ipv4/6
header checks.  Arp doesn't have anything like it.

>  		nf_bridge_pull_encap_header(skb);
>  	}
>  
> +	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
> +		return NF_DROP;
> +
>  	if (arp_hdr(skb)->ar_pln != 4) {

Thats indeed the only location where we call NFPROTO_ARP hooks,
so this looks like the proper fix/location.

Thanks Eric!

Reviewed-by: Florian Westphal <fw@...len.de>

Powered by blists - more mailing lists